Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us As Defenders
1. CIVIL SOCIETY, PEGASUS, AND PREDATOR
Runa Sandvik / @runasand / ATT&CKcon 2023
What Sophisticated Spyware Means For Us As Defenders
2. HELLO
● From Oslo, based in NYC
● Cute cat named Pumpkin
● Certified Basic Freediver
● Hacked a wifi-enabled smart rifle once
● Analyzed Green Lambert for OS X in 2021
● Write a newsletter: journalistandspy.com
3. MY WORK
● The Tor Project
● Freedom of the Press Foundation
● The New York Times
● Founded Granitt in the summer of 2022
● Support CISA’s Cybersecurity Advisory Committee
● Aspen Institute’s Global Cybersecurity Group
4. CIVIL SOCIETY
● More than a 9-to-5
● Product-focused
● Deadline-driven
● Under-resourced
● High expectations
● Limited support
● Common threats
● Advanced actors
5. CISA HRCP
● More than a 9-to-5
● Product-focused
● Deadline-driven
● Under-resourced
● High expectations
● Limited support
● Common threats
● Advanced actors
Source: CISA Cybersecurity Advisory Committee September 13, 2023 Meeting Summary
8. IT’S HARD
● “Detection of attacks is more complex”
● Android “is more difficult to forensically analyse”
● iOS has “more forensic traces accessible”
● “... does not have access to all components of the spyware”
● Increase in “false, dubious or misleading claims”
9. ABOUT ATT&CK
● Knowledge base of adversary tactics and techniques
● What do we know about how Predator gains access?
● What do we know about how Pegasus maintains persistence?
● Leverage this knowledge for various defensive measures
10. ATT&CK LIMITATIONS
● Mobile Matrix not as developed as Enterprise
○ No entries for Reconnaissance and Resource Development
● Vendor creates software used by operator
○ Intellexa creates Predator used by Egypt
○ NSO Group creates Pegasus used by Mexico
● Vendor and operator become adversaries
○ Both react to reports published by security researchers
12. RECONNAISSANCE [TA0043]
The adversary is trying to gather information they can use to plan future operations.
Source: The New York Times, March 20, 2023
13. RECONNAISSANCE [TA0043]
The adversary is trying to gather information they can use to plan future operations.
Source: The New York Times, March 20, 2023
14. RECONNAISSANCE [TA0043]
The adversary is trying to gather information they can use to plan future operations.
Source: The New York Times, March 20, 2023
15. RESOURCE DEVELOPMENT [TA0042]
The adversary is trying to establish resources they can use to support operations.
Source: Amnesty International for The Predator Files, October 9, 2023
16. INITIAL ACCESS [TA0001]
The adversary is trying to get into your network.
Source: Citizen Lab, August 24, 2016
17. INITIAL ACCESS [TA0001]
The adversary is trying to get into your network.
Source: Citizen Lab, December 20, 2020
18. INITIAL ACCESS [TA0001]
The adversary is trying to get into your network.
Source: Citizen Lab, September 22, 2023
19. INITIAL ACCESS [TA0001]
The adversary is trying to get into your network.
Source: The Washington Post for the Pegasus Project, December 21, 2021
23. ADVICE 2016 - 2022
● Don’t click on links from strangers
● Make sure you update your phone
● Reboot your phone once a day
● ¯\_(ツ)_/¯
24. ADVICE 2022 - 2023
● Don’t click on links from strangers
● Make sure you update your phone
● Reboot your phone once a day
● Enable Lockdown Mode on iOS
● ¯\_(ツ)_/¯
27. SELENA LARSON, ATT&CKcon 2022
● BLUF: detail the findings that matter to your stakeholders
● The report should contain relevant information
● Your readers should not need a thesaurus
● Consider how your report will be used
● Be aware of your audience
Source: Selena Larson’s keynote at ATT&CKcon 2022
28. CISA HRCP
● More than a 9-to-5
● Product-focused
● Deadline-driven
● Under-resourced
● High expectations
● Limited support
● Common threats
● Advanced actors
Source: CISA Cybersecurity Advisory Committee September 13, 2023 Meeting Summary
29. FINDINGS
● Who’s the victim?
● What happened?
● How did it happen?
● Where did it happen?
● Who attacked them?
● What’s your advice?
30. FINDINGS
● Who’s the victim?
● What happened? – Researcher
● How did it happen? – Researcher
● Where did it happen?
● Who attacked them?
● What’s your advice?
31. FINDINGS
● Who’s the victim?
● What happened? – Researcher, Analyst
● How did it happen? – Researcher, Analyst
● Where did it happen?
● Who attacked them?
● What’s your advice? – Analyst
32. FINDINGS
● Who’s the victim? – Lawyer
● What happened? – Researcher, Analyst, Lawyer
● How did it happen? – Researcher, Analyst
● Where did it happen? – Lawyer
● Who attacked them? – Lawyer
● What’s your advice? – Analyst, Lawyer
33. THAT’S A LOT
● Yes, sophisticated spyware adds complexity
● Stakeholders include:
○ Advisors
○ Analysts
○ Researchers
○ Lawyers
○ Civil society
34. BUILDING ON ATT&CKcon 2022
● Yes, detail findings that matter to your stakeholders
● And be aware of your entire audience
● Direct different readers with boxes, headlines, colors
● Reports on attacks against civil society must include advice
● Include mitigations by other vendors